Researchers from the outstanding Citizen Lab at the University of Toronto have published their latest research on the famous and prolific Israeli cyber-weapons dealer NSO Group, one of the world’s leading suppliers of tools used by despots to spy on dissidents and opposition figures, often as a prelude to their imprisonment, torture and murder.
In today’s report, HIDE AND SEEK, Citizen Lab researchers identify traces of NSO surveillance technology used in 45 countries – although some of these may be countries that victims of NSO surveillance have traveled to after being infected in another country.
The list of countries where NSO software operates includes some of the most notorious autocracies in the world, states where governments have shameful human rights records. Evidence suggests NSO has clients in states where trading with Israeli companies is prohibited, such as Bahrain and the United Arab Emirates.
On September 17, 2018, we then received a public statement from NSO Group. The statement states that “the list of countries in which NSO is supposed to operate is simply inaccurate. NSO does not operate in most of the countries listed.” This statement is a misunderstanding of our investigation: the list in our report is of suspected NSO infection locations; it is not a list of suspected NSO customers. As we describe in Section 3, we observed DNS cache hits from what appear to be 33 separate operators, some of which appeared to be operating in multiple countries. Thus, our list of 45 countries necessarily includes countries that are not customers of the NSO Group. We describe additional limitations of our method in Section 4, including factors such as VPNs and satellite connections, which can cause targets to appear in other countries.
The NSO statement also claims that the “NSO Business Ethics Board, which includes outside experts from various disciplines including law and foreign relations, reviews and approves every transaction and is authorized to reject agreements or cancel existing agreements in the event of improper use.” We have not seen any public details regarding the composition or deliberations of this committee, but we encourage NSO Group to disclose them. NSO’s statements about a business ethics committee are reminiscent of the example of the “external panel of technical experts and legal advisers … who examines the potential sales” of Hacking Team. This “external panel” appears to have been a single law firm, whose recommendations Hacking Team has not always followed.
The continued provision of services to countries with problematic human rights histories and where high profile spyware abuse has occurred raises serious doubts about the effectiveness of this internal mechanism, if one exists.
Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries [Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert/Citizen Lab]
Cyber Detectives Find Traces of Infamous Spyware for iPhone and Android “Pegasus” in 45 Countries [Lorenzo Franceschi-Bicchierai/Motherboard]